[原文]** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Microsoft ISA Server contains a flaw that may lead to an unauthorized password exposure. It is possible to gain unauthorized access to Base64-encoded passwords when Basic authentication is configured on the "Incoming Web Requests" listener. If a Web publishing rule is configured for both "SSL required" and "User authentication" the ISA server will forward Basic authentication credentials of users to published web sites with HTTP instead of HTTPS. This may allow an attacker to monitor the communication and gain access to the unencrypted password.
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.